Educause Security Discussion mailing list archives

Re: User Privilege Levels.


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 24 Feb 2009 17:01:45 -0500

Karen Stopford wrote:
Have any of you run into resistance when trying to reduce privileges, where faculty claims "academic freedom?"
Not a technical question but a political one.  I am just wondering how you might have handled it.
You can email me offline if you would like.

Karen,

We're just starting to convert Windows machines to non-administrator
accounts and haven't reached the academic areas yet so I can't speak
from experience under fire. But I'll throw my $0.02 worth in anyway. :)

Certainly, academic endeavors have a greater need for leeway in this
area than do administrative areas. On the other hand, those needs
don't extend to putting constituent data at risk.

If your risk assessment says that operating a computer with
administrative privileges presents unnecessarily high risk
in today's high threat environment ( and it should ), and
the mitigation you've chosen is to operate computers using
non-administrative accounts, then exceptions and the residual
risk implicitly accepted, must be approved ( and accepted )
by someone in authority.

One could make the argument that computers used to access
services containing constituent data or affecting services
must be operated with a non-administrator account while others
are sandboxed into their own area with almost no access to
campus resources.

Or a VM could be provided for academic exploration while the
primary machine, affecting constituent data and university
operations, is operated in the more conservative manner.
Not ideal, but a possibility.

We've chosen to deploy BeyondTrust Privilege Manager with
a "magic folder". A user is free to place a file in there
which, when executed, will run with elevated privileges
in the context of the user profile. While it's certainly
possible someone might put happy_valentine.exe or
video_codec.exe or antivirus_2009.exe in that folder,
hopefully proper folder naming, location, and user
education will minimize the chances. In the meantime, the
rest of the operating environment, particularly the browser,
is operating with regular user account permissions.

Use of this functionality will be discouraged when there
are university packaged applications available and, in
general, for *administrative* ( as opposed to academic )
users without pressing business justification for software
installation on a university owned business computer. But
it's a feature that should make the non-administrator
environment much more palatable to academic areas that
have a need to install more software and experiment more
with the computing environment.

Finally, most reasonable people, when the current threat
environment is demonstrated for them, will understand the
desire to move to non-administrator accounts. If there
are a few people who you cannot move to the less risky
environment, at least you've moved the others thus decreasing
the overall risk to your constituents' data and university
services.






Thanks,
Karen

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Pollard
Sent: Tuesday, February 24, 2009 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels.

I can only speak from the department level but what we do is give everyone
general user access and temporarily grant administrator access if necessary
using group policy.  If administrator access is absolutely insisted upon we
may permit it with the caveat that the user is responsible for ensuring
security and receives limited support.

~Jim

Jim Pollard
Computer Systems Development Specialist
Department of Biomedical Engineering
University of Texas at Austin
it () bme utexas edu
512.789.4345

"The intelligent man is capable of overcoming problems and difficulties the
wise man would have avoided in the first place."

Rabbi Yusef Becher


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Monday, February 23, 2009 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User Privilege Levels.

We're in the midst of planning a rollout to Active Directory for our end
user authentication, and so we'll be joining all college-owned end user
computers to the domain. I'm curious about privilege levels. What sort
of access are other institutions giving their users to their computers?

* Are your users granted Administrative power over their own machines?

* Do you have a uniform level for all employees, or does it vary by
position?

* Can an employee move between schemes, applying for greater access
after passing a security training test or some similar mechanism?

Thanks for any replies. Feel free to respond off-list, if you like.

--Matt

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
